Network discovery is an essential part of both network management and cyber threat intelligence tasks, with the former often conducted by a network or system administrator, and the latter performed by infosec researchers and penetration testers.


Regardless of the task you might need it for, we posted an article about IP scanner tools last week that may prove very helpful if you need to build your IP space map. But what happens when you need to go one step ahead of a simple IP map? What if you need to build a full network map with details such as OS, hardware, services and ports to analyze your attack surface area?

In that case, one of the most promising developments we’ve found lately is the Rumble Network Discovery platform. This valuable resource will help you perform network discovery tasks within seconds against your own networks or against 3rd party networks, making it a practical OSINT tool to keep in your infosec arsenal.

Today we’ll explore Rumble Network Discovery, learning about what it is, and exploring its main features, requirements, installation and how it’s used to perform network scans.

What is Rumble Network Discovery?

Created by HD Moore, Rumble Network Discovery is a new infosec tool used for network mapping from both sides, blue teams as well as red teams.

RND helps infosec researchers and network engineers identify connected computers, routers and other devices within a network, extract all relevant details possible, collect the data, compare it against a giant fingerprint database, and show you its findings in an elegant and readable way so you can analyze it properly.

Rumble works by using a centralized GUI console that runs on https://console.rumble.run, which receives its data from single or multiple agents running on different servers.

That’s one of its few requirements. Other than installing the agent, it works out of the box for most operating systems, allowing you to rapidly discover network-connected assets without intrusive network traffic capturing/sniffing or any type of login credentials.

How can I test it?

First things first! Before you can play with this interesting tool, you’ll need to create a free account on the official website at https://rumble.run and click the ‘Beta Signup’ button.

Once you sign up, an activation code will be sent to your email, and from that point on your account will be ready for installing agents and performing a wide range of network scanning tasks.

research@securitytrails.com:~/temp# ./rumble-agent-linux-amd64.bin
{"level":"info","msg":"failed to find a hostID, generating a new one","time":"2019-08-23T13:30:03Z"}
{"level":"info","msg":"installing rumble-agent-44af0223-9cf9-4076-962c-f0bc841d9bc9 to /opt/rumble/bin/rumble-agent-44af0223-9cf9-4076-962c-f0bc841d9bc9 from /root/temp/rumble-agent-linux-amd64.bin","time":"2019-08-23T13:30:03Z"}
{"level":"info","msg":"cleaning up any prior installation...","time":"2019-08-23T13:30:03Z"}
{"level":"info","msg":"writing executable to /opt/rumble/bin/rumble-agent-44af0223-9cf9-4076-962c-f0bc841d9bc9...","time":"2019-08-23T13:30:03Z"}
{"level":"info","msg":"installing service rumble-agent-44af0223-9cf9-4076-962c-f0bc841d9bc9...","time":"2019-08-23T13:30:03Z"}
{"level":"info","msg":"starting service rumble-agent-44af0223-9cf9-4076-962c-f0bc841d9bc9...","time":"2019-08-23T13:30:04Z"}
{"level":"info","msg":"installation complete","time":"2019-08-23T13:30:04Z"}
research@securitytrails.com:~/temp#
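
The installer reports each step as a JSON line, so its output can be reduced to a short audit record of what was written to disk and registered as a service on the host. The Python below is an added example, not part of the original article or of Rumble itself; `summarize_install` is a hypothetical helper, its message patterns come only from the output shown above, and treating any level other than `info` as a problem is an assumption.

```python
import json
import posixpath
import re

# Installer output copied from the session shown above (prompt line included).
SAMPLE = r'''
research@securitytrails.com:~/temp# ./rumble-agent-linux-amd64.bin
{"level":"info","msg":"failed to find a hostID, generating a new one","time":"2019-08-23T13:30:03Z"}
{"level":"info","msg":"installing rumble-agent-44af0223-9cf9-4076-962c-f0bc841d9bc9 to /opt/rumble/bin/rumble-agent-44af0223-9cf9-4076-962c-f0bc841d9bc9 from /root/temp/rumble-agent-linux-amd64.bin","time":"2019-08-23T13:30:03Z"}
{"level":"info","msg":"cleaning up any prior installation...","time":"2019-08-23T13:30:03Z"}
{"level":"info","msg":"writing executable to /opt/rumble/bin/rumble-agent-44af0223-9cf9-4076-962c-f0bc841d9bc9...","time":"2019-08-23T13:30:03Z"}
{"level":"info","msg":"installing service rumble-agent-44af0223-9cf9-4076-962c-f0bc841d9bc9...","time":"2019-08-23T13:30:03Z"}
{"level":"info","msg":"starting service rumble-agent-44af0223-9cf9-4076-962c-f0bc841d9bc9...","time":"2019-08-23T13:30:04Z"}
{"level":"info","msg":"installation complete","time":"2019-08-23T13:30:04Z"}
'''

INSTALL_RE = re.compile(r"^installing (\S+) to (?P<dest>\S+) from (?P<src>\S+)$")
SERVICE_RE = re.compile(r"^installing service (?P<name>\S+?)\.\.\.$")


def summarize_install(log_text):
    """Hypothetical helper: reduce the installer's JSON lines to an audit record."""
    out = {"binary": None, "source": None, "service": None,
           "completed": False, "new_host_id": False, "problems": []}
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        raw = raw.strip()
        if not raw.startswith("{"):
            continue  # blank lines and shell prompts are not log events
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            out["problems"].append((lineno, "unparseable line"))
            continue
        msg = event.get("msg", "")
        if event.get("level") != "info":  # assumption: non-info means trouble
            out["problems"].append((lineno, msg))
        install, service = INSTALL_RE.match(msg), SERVICE_RE.match(msg)
        if install:
            out["binary"], out["source"] = install["dest"], install["src"]
        elif service:
            out["service"] = service["name"]
        elif msg == "installation complete":
            out["completed"] = True
        elif msg.startswith("failed to find a hostID"):
            out["new_host_id"] = True
    # The registered service name should equal the installed binary's file name.
    out["consistent"] = posixpath.basename(out["binary"] or "") == out["service"]
    return out
```

Recording the `binary` and `service` values per host gives you an inventory of where the agent lives, which is what you need later to monitor or remove it.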

GUI-based scanning

Once you have installed an agent, the web-based interface can be accessed from https://console.rumble.run/. It offers a wide range of options to choose from; here we’re focusing on the main features that allow you to perform scans and check out results.

Before running the scan, you must create a site. So, let’s move over to the menu on the left and click “Site”. Then just fill the form with some descriptive text, as you see below:

To perform a scan, go to “Inventory” on your left, then click on “New Scan”.

Performing scans without firewalls enabled is the ideal scenario—however, we’ve been testing this against “protected” websites with system firewalls and it works just fine. Rumble effectively avoids general banning and network blocks thanks to its non-intrusive scan nature.

From here you’ll be able to configure a wide number of settings including:

TCP Ports: View the full list of TCP ports to scan. The default list is generally sufficient, but you can customize it to match your needs.

Other options include scheduling hourly, daily, weekly or monthly scans, as well as tweaking the scan speed and maximum host rate.

Once the scan is running, you will be redirected to a new interface called ‘Tasks’ (located at the left menu), where you’ll see current running scans as well as completed scans:

Click on the scan you want to explore. On the new page you’ll see information including Site Details and Site Change Summary.

Directly below that, all the IP ranges and websites you scanned will be displayed, allowing you to pivot between them to find more information about each network asset:

By clicking on any of the previous IPs, you’ll get even more details about that specific host, such as Type of asset, OS, Hardware, and First Seen and Last Seen dates.

A full list of hostnames and domain names associated with those IP ranges will be displayed at your right.

Below that information, at your left, more data will be displayed depending on the discovered ports and services running on that server, as you can see in the next screenshot from the OpenSSH server:

The same goes for port 80, including all its header and network details:

Once all scans are finished, assets and search results can be exported as JSON Lines, JSON Document, Nmap XML and CSV for later integration and analysis.

If you go back to the Dashboard (on the left menu) after running a few scans against IP ranges and websites, details and stats will appear showing the Top 10 Asset Types, Top 10 Asset OS and Top 10 Asset Hardware, as well as the total number of identified assets and discovered TCP/UDP ports.

Following that information, you’ll also be able to explore statistics obtained from your TCP, UDP, products and protocols.

Terminal-based scanning

For old-school nerds, Rumble also offers the ability to run scans from the terminal. For this you’ll need to install the Rumble command line scanner.

Fortunately, this procedure is painless. Just copy and paste the following into your box:

You can also specify a custom output directory by using -o [output-directory].

Conclusion

Rumble Network Discovery is an outstanding addition to the current range of OSINT tools available to help you with your daily infosec intel-reconnaissance tasks. It is, without a doubt, a valuable resource from HD Moore.

While this tool can definitely assist with your network discovery duties, there’s even more to explore regarding servers, IP addresses and domain names.

Jump swiftly and securely to the next level of OSINT: automate your IPs, domains and DNS exploration by using our powerful API. Sign up today for a free API account or book a demo with our sales team to test SurfaceBrowser™, our all-in-one enterprise-grade product that can give you an eye-opening look at the entire surface area of any company in the world—including yours.
